Hi all, I developed an applet which makes a socket connection to a server running on the host machine. Now I fear somebody could decompile my class files inside the jar file, get the port, and simply write a program to extract all the information that I am writing to the socket at the server side. Can anybody tell me how I could prevent others from connecting to my server using other programs?
Note: I am using a self-signed applet and I am sure I don't want to use SSLSocket. Thanks. Shahabas
The greatest pleasure in life is doing what people say you cannot do.
A client cannot download all the information available from a server simply by connecting to the server.
To add security to your connection, the simplest way is to use SSL. Otherwise you would have to encrypt the messages sent between the client and the server and implement server authentication, probably using certificates.
I have a server which is publishing news to a number of clients. Clients can make a socket connection to the IP (say 127.0.0.1) and port (say 6789) and get the news from the server. My client program is an applet. I want ONLY my applet to connect to the server.
But now anybody who knows the IP and port can connect to the server and get the news.
When I implement a server, I like to implement a little handshaking with my client before actually doing any work.
Something like this:
1. client connects to server.
2. server sends client "OK" message.
3. client must send server "let's roll" message to server.
If the server doesn't receive the "let's roll" message, then the connection is closed.
It's not anything like a secure server, but it may set your mind to rest concerning who is connecting to your server.
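The handshake from the post above, written out as a server-side gate over a loopback connection (an added example, not code from any poster in this thread). The class name, the timeout and the reply-length cap are assumptions; the phrase ships inside the client, so this filters stray connections rather than authenticating the applet.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class HandshakeGate {                       // hypothetical class name
    static final String GREETING = "OK";
    static final String EXPECTED = "let's roll";   // phrase from the post; readable by anyone who decompiles the client
    static final int TIMEOUT_MS = 2000;            // assumed read timeout
    static final int MAX_REPLY = 64;               // assumed cap on the reply length

    /** Server side of the handshake: true only if the client sent the expected line in time. */
    static boolean handshake(Socket s) throws IOException {
        s.setSoTimeout(TIMEOUT_MS);                // a silent client cannot hold the connection open
        OutputStream out = s.getOutputStream();
        out.write((GREETING + "\n").getBytes(StandardCharsets.UTF_8));
        out.flush();
        InputStream in = s.getInputStream();
        ByteArrayOutputStream reply = new ByteArrayOutputStream();
        try {
            int b;
            while ((b = in.read()) != -1 && b != '\n') {
                if (reply.size() >= MAX_REPLY) return false;   // oversized reply: reject
                reply.write(b);
            }
        } catch (SocketTimeoutException e) {
            return false;                          // no reply within the timeout: reject
        }
        return MessageDigest.isEqual(reply.toByteArray(), EXPECTED.getBytes(StandardCharsets.UTF_8));
    }

    /** Opens a loopback connection, sends clientReply, and reports whether the server side accepted it. */
    static boolean tryClient(String clientReply) throws Exception {
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
             Socket client = new Socket(server.getInetAddress(), server.getLocalPort());
             Socket accepted = server.accept()) {
            // Single-threaded demo: the reply is queued before the greeting is read by the client.
            client.getOutputStream().write((clientReply + "\n").getBytes(StandardCharsets.UTF_8));
            client.getOutputStream().flush();
            return handshake(accepted);            // on false the connection is closed, as the post describes
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("correct phrase accepted: " + tryClient("let's roll"));
        System.out.println("wrong phrase accepted:   " + tryClient("hello"));
    }
}
```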
Yes... I can do handshaking. But, as you said, if I send a hardcoded string ("let's roll") to the server, anybody who is able to decompile my code can send this string to the server and get the connection. Is it possible to generate something like a digital signature at the time of compilation, so that I can send this to the server for validation?
OK, now I understand your question a little better. I'm not sure about the digital signatures, but if I find something I'll post it here.
Have you tried sending a Properties object or a hashtable to your server?
The moment you publish your applet you also publish the wire protocol, and anybody can access your server and send in requests. You have to fight the same problem as Yahoo, which saw a third-party chat client being built for their service. Their solution is to change the protocol frequently: